In various enterprise network deployments that involve proxies or other intermediate network devices, such as secure web gateways and Wide Area Network (WAN) optimization devices, one or more proxies can perform client Internet Protocol (IP) address spoofing (also known as reflect client-IP or RCIP). For example, a proxy can terminate a Transmission Control Protocol (TCP) connection with a client and, masquerading as the client by using the client's IP address as its source address, open a separate TCP connection with the server.
A known problem in such deployments is asymmetric routing, in which the routed path for packets destined to the server is not the same as the routed path for packets destined to the client or proxy. This condition can be relatively stable, or dynamic and intermittent. Because an RCIP proxy spoofs the client (i.e., the proxy uses the client's IP address), packets transmitted by the server, such as the TCP SYN/ACK answering the proxy's SYN, may bypass the proxy and reach the client directly when the return path differs from the forward path. The client never opened the proxy-originated connection and therefore has no state information for it; it responds by attempting to terminate the connection between the proxy and the server with connection-terminating packets. For TCP connections, the client transmits a TCP RST packet in reply to the unexpected SYN/ACK. Because traffic from the client toward the server still traverses the proxy, the proxy can detect the asymmetric routing condition when it receives the connection-terminating message (e.g., the TCP RST) from the client for a connection that only the proxy opened.
Network firewalls, commonly deployed devices in many network architectures, can prevent the detection of asymmetric routing. Many stateful firewalls filter or block packets for which no connection state information exists, or for which the existing connection state indicates that the packet is not expected. A firewall on the asymmetric return path has never seen the proxy's SYN, so it blocks the server's SYN/ACK; the SYN/ACK never reaches the client, the client never transmits a TCP RST, and the proxy has nothing to detect. Likewise, a firewall between the client and the proxy has no state for the proxy-originated connection, so it blocks the client's TCP RST before it reaches the proxy. In either case the operation of the firewall prevents the proxy from detecting asymmetric routing.
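The following simulation, added here as an illustration and not code from the original page or from any product it describes, models the exchange described in the two preceding paragraphs: an RCIP proxy opens a server-side connection spoofing the client's IP, the server's SYN/ACK either returns through the proxy (symmetric) or goes straight to the client (asymmetric), the client answers an unexpected SYN/ACK with a RST that the proxy recognises, and a stateful firewall on either path drops the segment it has no state for. All addresses, ports, class names and the firewall's flow-tracking rule are assumptions chosen for the example; real firewalls track considerably more state than a set of 4-tuples.

```python
"""Toy model of RCIP proxy, asymmetric return path and stateful firewall (example code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN/ACK" or "RST"

    def key(self):
        return (self.src, self.sport, self.dst, self.dport)

    def reverse_key(self):
        return (self.dst, self.dport, self.src, self.sport)


class Client:
    """End host: knows only the sockets it opened itself."""
    def __init__(self, ip):
        self.ip, self.sockets, self.sent_rst = ip, set(), []

    def connect(self, server_ip, sport, dport):
        self.sockets.add((self.ip, sport, server_ip, dport))

    def receive(self, pkt):
        if pkt.flags == "SYN/ACK" and pkt.reverse_key() not in self.sockets:
            # No state for this 4-tuple, so the host answers with a RST.
            rst = Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "RST")
            self.sent_rst.append(rst)
            return rst
        return None


class Server:
    def receive(self, pkt):
        if pkt.flags == "SYN":
            return Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport, "SYN/ACK")
        return None


class RcipProxy:
    """Terminates the client's connection and opens its own to the server
    using the client's IP (reflect client IP) and a source port it picks."""
    def __init__(self):
        self.spoofed, self.established = set(), set()
        self.asymmetric_detected = False

    def open_server_side(self, client_ip, server_ip, dport, sport=50000):
        syn = Packet(client_ip, sport, server_ip, dport, "SYN")
        self.spoofed.add(syn.key())
        return syn

    def handle(self, pkt):
        if pkt.flags == "SYN/ACK" and pkt.reverse_key() in self.spoofed:
            self.established.add(pkt.reverse_key())   # symmetric path: handshake completes here
            return None
        if pkt.flags == "RST" and pkt.key() in self.spoofed:
            # The client reset a connection only the proxy opened, so the
            # server's SYN/ACK must have reached the client directly.
            self.asymmetric_detected = True
            return None
        return pkt


class StatefulFirewall:
    """Records SYNs it sees and drops any other segment whose flow it has not seen
    (assumed simplification of the behaviour described in the text)."""
    def __init__(self, name):
        self.name, self.flows, self.dropped = name, set(), []

    def handle(self, pkt):
        if pkt.flags == "SYN":
            self.flows.add(pkt.key())
            return pkt
        if pkt.key() in self.flows or pkt.reverse_key() in self.flows:
            return pkt
        self.dropped.append((self.name, pkt.flags))
        return None


def walk(pkt, hops, endpoint):
    """Push pkt through the middleboxes in order; return the endpoint's reply, or None if dropped."""
    for hop in hops:
        pkt = hop.handle(pkt)
        if pkt is None:
            return None
    return endpoint.receive(pkt)


def simulate(asymmetric, firewall_on_return_path, firewall_on_client_side):
    client, server, proxy = Client("10.0.0.5"), Server(), RcipProxy()
    client_fw, bypass_fw = StatefulFirewall("client-side fw"), StatefulFirewall("bypass-path fw")
    # 1. The client opens its own connection (port 40000); the client-side firewall sees that SYN.
    client.connect("203.0.113.10", sport=40000, dport=80)
    client_fw.handle(Packet("10.0.0.5", 40000, "203.0.113.10", 80, "SYN"))
    # 2. The proxy opens the server-side connection with the client's IP and its own port.
    syn_ack = walk(proxy.open_server_side("10.0.0.5", "203.0.113.10", 80), [], server)
    # 3. The SYN/ACK returns through the proxy (symmetric) or bypasses it toward the client.
    return_hops = ([bypass_fw] if firewall_on_return_path else []) if asymmetric else [proxy]
    rst = walk(syn_ack, return_hops, client)
    # 4. A client RST travels the forward path, through any client-side firewall and the proxy.
    if rst is not None:
        walk(rst, ([client_fw] if firewall_on_client_side else []) + [proxy], server)
    return {"detected": proxy.asymmetric_detected,
            "client_reset": bool(client.sent_rst),
            "dropped": client_fw.dropped + bypass_fw.dropped}


if __name__ == "__main__":
    for scenario in [(False, False, False), (True, False, False), (True, True, False), (True, False, True)]:
        print(scenario, simulate(*scenario))
```

The four scenarios in the `__main__` block correspond to the cases in the text: symmetric routing (nothing to detect), asymmetric routing without firewalls (the proxy sees the RST and detects it), a firewall on the bypass path (the SYN/ACK is dropped, so no RST is ever sent), and a firewall between client and proxy (the RST is sent but dropped before the proxy sees it).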